healer | 6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe
Size

537KB
MD5

bba95ed00397c01db4d0e4c0d5754375
SHA1

6b94bf3d32f276eb36f62b08b62c2ebc19c3c2d9
SHA256

6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9
SHA512

d5059e8a74659ac592f80a8204a48096c82db0eb2b6c99d2d9c05da3baebe6ee686be14c9370634ba0af41d4dfb6d97a9fc7f66f79bdcbd5d2a29f9c05f5a747
SSDEEP

12288:QMrqy90K3yWET9WQ9L6wk2Bpe66LdZpNUIzH5wR4Cq5EJzzkN:qyz3AT9WOd0LdTN1ZwRiWJzzK

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr498944.exe	healer
behavioral1/memory/2980-15-0x00000000001A0000-0x00000000001AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr498944.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr498944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr498944.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr498944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr498944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr498944.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr498944.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4148-22-0x0000000002700000-0x0000000002746000-memory.dmp	family_redline
behavioral1/memory/4148-24-0x0000000004E40000-0x0000000004E84000-memory.dmp	family_redline
behavioral1/memory/4148-28-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-38-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-88-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-86-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-84-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-82-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-80-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-78-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-76-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-74-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-72-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-70-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-66-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-64-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-63-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-60-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-58-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-56-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-55-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-52-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-50-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-48-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-46-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-44-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-42-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-40-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-36-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-34-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-32-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-30-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-68-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-26-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline
behavioral1/memory/4148-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zius3059.exejr498944.exeku747813.exe

pid process

440 zius3059.exe
2980 jr498944.exe
4148 ku747813.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr498944.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr498944.exe

pid	process
440	zius3059.exe
2980	jr498944.exe
4148	ku747813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr498944.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exezius3059.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zius3059.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4728 sc.exe

pid	process
4728	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exezius3059.exeku747813.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zius3059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku747813.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr498944.exe

pid process

2980 jr498944.exe
2980 jr498944.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr498944.exeku747813.exe

description pid process

Token: SeDebugPrivilege 2980 jr498944.exe
Token: SeDebugPrivilege 4148 ku747813.exe

pid	process
2980	jr498944.exe
2980	jr498944.exe

description	pid	process
Token: SeDebugPrivilege	2980	jr498944.exe
Token: SeDebugPrivilege	4148	ku747813.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exezius3059.exe

description	pid	process	target process
PID 1740 wrote to memory of 440	1740	6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe	zius3059.exe
PID 1740 wrote to memory of 440	1740	6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe	zius3059.exe
PID 1740 wrote to memory of 440	1740	6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe	zius3059.exe
PID 440 wrote to memory of 2980	440	zius3059.exe	jr498944.exe
PID 440 wrote to memory of 2980	440	zius3059.exe	jr498944.exe
PID 440 wrote to memory of 4148	440	zius3059.exe	ku747813.exe
PID 440 wrote to memory of 4148	440	zius3059.exe	ku747813.exe
PID 440 wrote to memory of 4148	440	zius3059.exe	ku747813.exe

C:\Users\Admin\AppData\Local\Temp\6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe
"C:\Users\Admin\AppData\Local\Temp\6ce7984da9ed0cb904bbabb3b15c3ee2a5cb7f20afa8fc19e04673346e61d8c9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius3059.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius3059.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr498944.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr498944.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku747813.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku747813.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zius3059.exe

Filesize
395KB

MD5
2912549906c421946947980c43e04444

SHA1
f7f24dfc8ee2a1cafb2d6e58876c8eea4f5fed51

SHA256
c94f2d0862c7876abade79856e4dbc7b6351cc63c75807bd880d5ae79245e41c

SHA512
e95bbcf2868cb912496fe413ef442b469421539b5e415378b25583d894e369ddc30bafa03ed3285f113f00403a48e4da007598f4af127b8fd8d283080a7bee78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr498944.exe

Filesize
14KB

MD5
57ac6fec4f2ea8f48781b8546180c0c4

SHA1
4865feaa5eac7b178a74b6870c66cf13092971e9

SHA256
9d2365dfa2fff7e5f559cd3f91be02f4692d8a8083716a0bd0dcc9318717ef37

SHA512
579cfd3dc0ee237e18c8e178b1af91df2fff5cbe41234ed96166e6d056d06c193b898c3a8a624a9fa3b81df6142033f1d8dbe9235f61fe467c6ad8f386e60dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku747813.exe

Filesize
352KB

MD5
d1cb3d443d4ff5f808335cd6d81f8f2a

SHA1
bb4e1ff0f522b07941a6ba0e015b0f687ce78b0e

SHA256
f662b166fd652b89ebc0d3b41f5bb0f23e2e49e69f45877bb9abac5af48c6aeb

SHA512
1ced3da775956efdf3c061766232745cb94ec3214d8020b46b43ad0c0d63062b22c3c45294353adc179f82430bfb18db972fa404f592ccae55b6d8e71b481098

Download Submit
memory/2980-14-0x00007FFA80A13000-0x00007FFA80A15000-memory.dmp

Filesize
8KB

Download
memory/2980-15-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2980-16-0x00007FFA80A13000-0x00007FFA80A15000-memory.dmp

Filesize
8KB

Download
memory/4148-64-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-55-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-24-0x0000000004E40000-0x0000000004E84000-memory.dmp

Filesize
272KB

Download
memory/4148-28-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-38-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-88-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-86-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-84-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-82-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-80-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-78-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-76-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-74-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-72-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-70-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-66-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-22-0x0000000002700000-0x0000000002746000-memory.dmp

Filesize
280KB

Download
memory/4148-63-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-60-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-58-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-56-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-23-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/4148-52-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-50-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-48-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-46-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-44-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-42-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-40-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-36-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-34-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-32-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-30-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-68-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-26-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp

Filesize
252KB

Download
memory/4148-931-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4148-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4148-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/4148-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/4148-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download